►
From YouTube: OpenSSF Vulnerability Disclosures WG (June 1, 2022)
A
A
B
Yeah
and
even
better
medicine,
there's
a
park
right
outside
and
some
really
really
tall
cherry
trees,
and
so
the
cats
like
to
sit
there
and
watch
the
dogs
and
the
squirrels
and
the
birds,
and
sometimes
when
they're
lucky
they
get
crows
and
who
doesn't
love
watching
a
great
big
chicken
walking
around
out
there.
Oh
that's
awesome.
I
have
a
transparent
bird
feeder
on
my
glass
door,
so
they
can
see
all
of
the
birds.
It's
awesome.
C
B
A
A
D
D
Hello:
everyone,
I'm
yogesh
mittal,
ignore
my
daughter's
name
there.
I
work
at
redhat,
I'm
part
of
incident
response
team
at
red
hat
and
we
just
recently
got
some
some
changes
within
red
hat.
The
organization
changes
within
product
security
and
my
role
is
towards
vulnerability
management
piece
within
red
hat,
and
I
came
to
know
about
this
group
very
late.
Two
weeks
back,
I
missed
the
bus.
D
A
E
Hi
folks-
and
this
is
apologies-
camera
wise,
I'm
in
the
middle
of
traveling
now,
but
I
just
wanted
to
say
hello
to
everyone.
This
is
alex
casado
with
wipro,
and
I
see
my
my
colleague
here.
Vicky
is
also
on
the
line
so
nice
to
see
you,
but
I'm
part
of
the
cyber
security
services,
just
kind
of
been
been
looking
at
some
of
these
different
work
groups,
I'm
very
interested
to
contribute
along
the
way.
So
thank
you.
A
A
Awesome
so
my
proposal
for
this
group,
there
are
two
sections
that
very
directly.
I
feel
intersect
with
our
work
here:
streams,
five
and
six
and
there's
other
little
bits
and
pieces
here
and
there
throughout
the
rest
of
the
plan.
But
I
think
streams,
five
and
six
are
most
directly
related
to
our
work
here.
G
A
The
thing
would
be
and
I'll
post
a
link
to
the
mobilization
plan
into
the
zoom
chat,
but
the
open
ssf,
a
couple
of
us,
went
to
washington
and
talked
to
some
very
nice
people
from
the
u.s
government,
and
we
proposed
a
10-point
plan
to
help
address
some
of
the
gaps
in
the
open
source,
ecosystem
security
and
two
of
those
points,
I
think,
are
very
related
to
this
group.
A
stream
five
is
the
creation
of
an
open
source
security
incident
response
team
on
some
level.
A
A
So
I
I
don't
know
open
the
conversation
on
either
way.
We
could
have
a
sig
potentially
for
each
of
those
ideas.
Maybe
the
stream
six
is
just
something
we
do
kind
of
business
as
usual
stream.
Five,
I
feel
is
gonna
need
a
lot
of
focused
effort
up
front
to
talk
through
and
really
kind
of
shape,
the
plan
into
something.
That's
more
actionable
than
it
currently
is,
but
again,
let's
talk
about
it.
F
So
I'll
start
regarding
stream
five,
the
incident
response,
so
I
might
be
able
to
help
facilitate
someone
who
has
a
cdo
for
a
company
that
does
incident
response
as
a
service
to
maybe
talk
about
some
of
the
challenges
and
maybe
kind
of
direct
or
focus
on
some
of
the
key
points
that
we
want
to
address.
If
we
want
to
create
like
an
open
source
platform
or
or
structure
for
incident
response,.
A
Thank
you.
I
think
that
would
be
a
very
useful
contact
so,
and
my
intention
is
if
we
feel
this
is
something
we
want
to
move
forward
with.
I
would
reach
out
to
several
members
within
the
community
see
if
we
can
get
representatives
from
like
the
kubes
or
openstack
team
to
come
talk
to
this
group
to
kind
of
help
shape
that
opinion.
A
H
H
It
happened
over
a
very
short
period
of
time
and
I'll
just
to
level
set,
and
maybe
like
call
out
the
elephant
in
the
room
I
mean
I
sketched
out
most
of
number
five
and
realistically,
it
has
not
even
closed
to
have
the
input
that
it
really
needs.
So
for
anyone
that
would
like
to
critique
it
suggest
new
directions,
for
it
help
us
make
it
much
better
than
what
it
is
right
now.
A
Yeah
and
I'll-
I
don't
know
if
you
were
on
the
call
the
last
time
jennifer,
but
because
I
had
such
vigorous
feedback
on
the
original
draft.
Mr
bellendorf
appointed
me
the
facilitator
for
the
dc
stream
five
meeting
and
of
the
folks
in
the
room
in
general.
The
group
thought
the
idea
had
merit
and
they
wanted
to
move
forward.
A
A
A
I
The
news,
so
actually
it's
eric
I've
them
there.
I
was
I
communicated
with
emily
about
next
meeting,
so
she's
good
to
go
for
next
time.
I
guess
I
should
have
put
in
that
little
thing.
I
also
didn't
know
if
this
is
the
sort
of
thing
you
meant
by
open,
so
I
just
put
it
here,
because
okay
yeah
so
she's
she's
fine
to
meet
with
the
group
next
time
june
15th
and
I
I
thought
what
you
were
looking
for-
was
some
sort
of
like
a
little
demonstration
and
or
answer
questions.
A
A
A
So
there's
a
group
of
folks
and
emily
is
the
developer,
created
a
tool
called
vince
that
is
used
for
helping
coordinate
vulnerabilities.
It's
pretty
heavily
used
within
the
vendor
ecosystem
and
we
thought
it
was.
We
had
a
presentation
a
long
time
ago
talking
about
it
and
they
have
finally
open
sourced
the
code
for
vince.
So
this
is
potentially
a
platform
that
we
could
leverage
in
trying
to
like,
for
example,
empowering
stream
five
to
contact
people.
A
I
G
A
B
B
Yes
absolutely
and
we
love
love
feedback
by
no
means
do
I
want
me
and
jonathan
to
be
the
only
ones
that
have
reviewed
and
worked
on
this.
So
I'm
super
appreciative
of
any
feedback.
A
lot
of
sections
are
still
very
work
in
progress.
So
if
you
see
anything
that
like
looks
like
it's
unfinished,
that's
probably
because
it
is
unfinished.
G
J
F
A
A
G
I
I
haven't
yeah,
I
I
respect
the
perspective.
I
also
know
that,
as
a
reader
ib
hd,
I
would
like
to
write
I'm
trying
to
write
a
document
that
I
would
want
to
read,
and
so
that's
the
mindset
that
I'm
going
into
this
with
is
like.
I
would
like
to
make
this
something
that
is
memorable.
That
is
valid
like
it's.
It's
not
a
block
of
just
text
right,
because
I'm
gonna
look
at
a
guide
like
this.
That
has
just
a
wall
of
text.
I'm
gonna
skim
it
and
not
care
right.
G
If
there's
something
entertaining
to
it,
I'm
gonna
invest
the
time
to
sit
down
and
actually
read
through
it
as
a
security
researcher,
that's
the
ten
cents
that
I
am
kind
of
coming
at
it
from,
and
that's
why
I
made
the
intentional
decision
to
say:
okay,
like
I'm,
gonna
write
this
the
way
that
I
would
want
to
read
like
a
document
as
a
security
researcher
who's.
You
know,
there's
tons
of
things
that
I
can
read
all
over
the
internet,
all
right.
Why
do
I
want
to
sit
down
and
read
this
one?
Oh,
this
looks
entertaining.
B
Vicky,
I'm
I'm
going
to
kind
of
walk
the
line
between
the
two,
because
I
agree
that
memes
are
maybe
not
the
best
thing
and
I
haven't
seen
the
memes
since
they
were
added.
I
do
know
that
if
their
animated
gifs
as
much
as
I
love
them
being
a
twitter
native,
they're
gonna,
distract
me
ridiculously
anything
moving
on
the
screen
and
I'm
right
there
and
I'm
not
paying
attention
to
the
word.
So
that's
going
to
be
a
problem,
so
I
also
think
that
they're
not
especially
professional.
B
I
don't
know
that.
That's
really
a
problem,
I
think,
perhaps
to
make
it
more.
So
I'm
gonna
put
on
my
book
editor
hat
here.
We
can
change
the
language
to
make
it
more
accessible.
We
can
add
diagrams
to
make
it
more
accessible.
We
can
add
pieces
of
artwork
to
make
it
more
accessible
things
that
don't
move.
You
know
xkcd
if
it's
appropriately
cited
because
it
is
cc
by
nc.
B
Oh,
my
god
yeah
I
wasn't
pointing
any
fingers,
but
since
well
what
he
did
no,
no,
no
and
then
you
know
highly
casual
sort
of
thing.
You
know
split
that
difference
in
there
so
be
serious
about
the
content,
but
perhaps
be
casual
in
the
way
we
present
it.
So
I'm
sure
when
I
see
the
memes,
I
might
have
some
thoughts
about
that
and
recommendations
for
how
to
shift
it.
But
I
I
I
probably
don't
think
memes
are
specifically
the
right
thing,
but
maybe
there's
a
way.
B
We
can
do
something
with
that
idea.
So
I'm
I'm
with
jonathan,
want
to
make
it
easy
for
people
to
actually
get
through
the
damn
thing,
but
we
also
want
them
to
remember
the
content
and
not
the
memes
right
and
that's
part
of
the
problem
with
the
memes
and
that's
why
really?
You
shouldn't
be
putting
too
many
of
those
on
your
screen
when
you're
presenting,
because
everyone's
trying
to
figure
out
what
the
meme
means
and
they're
not
listening
to
you.
So
you
have
to
consider
your
audience's
needs,
and
so
that's
too
many
words.
B
A
B
C
L
Yeah,
but
I
think
the
reality,
though,
is
that
we
that
the
tech
editors
can
help,
but
they
can't
create
silk
purses
from
sao's
ears,
so
it
needs
to
be.
You
know,
sort
of
deficient
shape
to
start
with.
You
know
they
can
help,
make
it
clear
what
you're
saying,
but
they
can't
decide
what
you're
going
to
say.
B
Sorry
david,
would
you
be
able
to
assuming
that
having
a
tech
editor
review?
This
is
an
option
that
we
have
available
to
us.
Can
you
find
out
how
long
they
would
need
to
review
this?
Basically,
so
we
can
try
to
get.
I
think
our
goal
is
to
have
this
done
by
august,
but
I
assume
we
would
need
it
sooner
for
a
tech
review
at
the
very
least,
and
to
have
other
reviews.
H
A
So
some
news
about
our
goal.
Yes,
we
do
have
the
goal.
We
were
hoping
to
get
this
done
to
announce
at
black
hat.
Sadly,
my
proposal
for
the
call
for
papers
was
politely
declined,
so
we
don't
have
that
necessarily
as
a
hard
deadline.
I
still
would
like
to
keep
to
that
if
we
can,
but
we
don't
have
a
platform
at
black
hat,
at
least
to
share
more
information
about
this,
but
that
doesn't
mean
we
couldn't
still
synchronize
with
it.
G
G
B
G
B
As
far
as
editors,
I've
worked
with
technical
editors
for
other
sub
foundations
of
lf,
so
I
know
they're
there
and
how
much
attention
you
can
get
from
them
really
depends
upon
their
workload
at
that
time.
But
madison's
question
of
how
much
lead
time
is
always
a
respectful
one
right
and
something
we
should
certainly
keep
in
mind,
but
now
that
we've
got
a
little
more
flexible
date,
maybe
that
can
help
us
a
bit.
A
And
we
also
need
to
get
in
the
queue
of
the
open,
ssf's
marketing
director
now
a
bit
too
once
we
are
more
solid
on
it
and
have
a
little
bit
better
idea
of
exactly
when
we
ready
to
get
on
her
plate
so
that
we
can
that
committee's
plate,
so
that
they
can
figure
out
how
the
foundation
wants
to
advertise.
It.
C
G
A
B
One
question
that
I
had
while
rewriting
it
that
I
added
as
a
comment,
but
I
wanted
to
bring
up
to
the
larger
group.
It
seems
like
having
a
glossary,
could
be
helpful
and
it
seems
like
we
could
have
a
lot
of
words
from
the
first
guide.
That
could
be
helpful
too.
So
there
were
some
things
that
were
defined
there.
A
lot
of
things
that
we're
defining
here
too,
and
I'm
realizing
like
adding
the
definitions
in
the
text
can
be
a
little
much.
B
A
B
I
realized
that
we
were
like
defining
the
same
term
in
both
places,
so
it
made
sense
to
do
it
in
the
first
stop
right,
because
that
was
all
there
was
at
the
time.
But
as
for
developing
more
documents,
I
think
having
a
single
glossary
can
probably
make
more
sense,
so
I'm
happy
to
start
putting
stuff
there
as
we're
working
on
this.
If
we
are
okay
with
that.
F
L
L
B
L
J
The
kind
of
difference
between
vdp
and
bbp
section,
I
guess,
just
kind
of
tooling,
through
this
figuring
out
where
that
might
fit
best,
because
right
now
we
still
have
it
just
in
the
brainstorming
notes
section.
So
I
guess
that
that's
something
I'm
happy
to
kind
of
take
a
look
at
and
maybe
I'll
take
a
stab
at
placing
it
somewhere
else.
J
Embedding
it
somewhere
else
within
the
document
or
leaving
it
as
its
own
section,
but
just
moving
it
up
so
that
it's
it's
out
of
the
brainstorming
notes,
area
and
then
totally
open
and
happy
for
feedback
for
where
that
should
go
and
making
sure
it's
not
duplicative,
because
I
think
it
still
could
be
a
bit
duplicative
from
what
we
already
have
up
top.
So
that's
something
I'm
happy
to
take
a
stab
at.
A
J
G
A
I
think
I'll
officially
put
it
as
a
vote
to
the
mailing
list,
so
I
would
encourage
everyone
to
read
your
mail.
You're
gonna
get
two
mails
from
me,
one
about
a
doodle
for
the
sig
and
then
I'll
do
one
about
the
memes
so
that
we
can
kind
of
have
a
group
consensus
on
how
we
would
like
that
to
go
forward.
A
L
Well,
that's
open,
ai,
so
yeah,
so
quick,
quick
context
for
the
fundamentals
course
on
how
to
develop.
Secure
software,
we'd
like
to
spice
up
a
little
bit
add
more
pictures.
So
I
asked
the
openai
folks
if
we
could
use
their
dolly
too.
So
there's
two
different
answers.
One
is
the
legal
answer
and
one
is
the
end.
You
have
access
to
tool.
L
The
legal
answer
from
them
is:
yes,
you
know
if
it's
freely
available
non-profit
you
know
they
do
have
some
constraints,
but
I
can't
believe
that
I
mean
they
don't
want
violence,
they
don't
want
nudity,
they
don't
want
individual
actual
humans
pictures
faces
on
them,
but
I
think
those
are
all
their
requirements
are
all
doable.
The
bigger
problem
is
access
to
the
dual:
they
run
it
as
a
service,
and
I
have
I
have
put
into
their
lists,
and
I
have
made
various
requests
out
to
people.
L
I
know
to
try
to
get
me
in
front
of
the
queue
and
that's
been
totally
unsuccessful
and
trying
to
get
to
the
head
of
the
lion
curses.
So
somebody
knows
a
way
to
sneak
ahead
of
the
line.
You
know
and
knows
the
secret
red
carpet.
Handshake
that'd
be
awesome,
but
I
do
like
the
idea
of
trying
to
use
some
generated
images
if
nothing
else,
they
can
be
interesting
and
we
do
have
a
graphics
department.
F
L
B
I
think
that
the
idea
of
using
the
ai
to
generate
images
is
interesting
from
a
just
entertainment
point
of
view.
I
think,
from
a
functional
point
of
view,
what
we're
going
to
get
are
our
images
that
are
going
to
allow
our
readers
to
scratch
their
heads
and
think
more
about
what
does
this
mean
and
where
did
it
come
from,
and
how
does
it
relate
to
the
content?
B
So
we
might,
it
might
seem
easier
and
more
fun
to
use
this
shiny
new
toy,
but
I
think
it's
going
to
be
more
effective
for
our
audience,
who
we
should
always
be
putting
front
and
center
to
for
us
to
dig
through
creative
commons
images
and
or
create
diagrams,
if
necessary,
if
relevant,
to
the
content
than
it
is
to
come
up
with
shiny
new
ai
generated
images.
I'm
sorry
to
rain
on
your
parade.
B
I
am
the
meanest
ape
in
the
room
and
I
apologize
for
that,
but
from
an
audience
perspective,
I
just
don't
think
it's
going
to
be
effective.
I
I
I
would
like
to
be
proven
wrong.
You
know
I'm
happy
to
be
proven
wrong,
but
I've
worked
with
way
too
many
editors
in
my
life
for
this
not
to
set
off
red
flags.
L
Well,
since
we
don't
have
access
to
the
tool,
we
have
no
way
to
know
whether
or
not
we
can
make
it
generate
ac
interesting.
You
know
not
just
interesting
but
useful
enough.
What's
intriguing
about
these
tools,
is
they
don't
just
say,
create
random,
arbitrary
images,
but
you
give
them
a
text
prompt
and
it
creates.
B
I've
seen
some
of
the
output
from
the
text
prompts,
and
they
are
hilariously
ludicrous
in
many
cases
and
which
is
great
and
it
makes
for
you
know
great
social
media
engagement,
and
I
know
that
you
know
we're
kind
of
doing
the
whole
airplane.
I'm
only
seeing
the
things
that
they
find
most
entertaining
and
not
the
stuff
that
they
find
to
be
less
entertaining,
but
still
from
the
selection.
I've
seen
I'm
not
convinced
that
we're
going
to
get
things
that
aren't
head
scratching
out
of
it.
L
J
L
G
G
I
think
the
idea
here
is
like
let's
expand
the
range
of
images
that
we
can
find
to
like
satisfy
the
like
content
that
we're
trying
to
match
over,
like
what
creative
commons
like
pools
of
images,
are
going
to
have
right
like
let's,
let's
make
that,
let's
give
us
a
slightly
larger
pool
of
like
potential
into
images
we
can
inject
into
as
content
to
to
help
tell
the
story
not
like.
I
don't
think
the
goal
is
like
this
is.
This
is
interesting
like
let's
sew
this
image
in
just
because
it
like
looks
interesting.
A
A
M
Can
hear
me
yeah
awesome,
so
I
haven't
been
there
for
a
while.
So
I
haven't
just
started
reading
through
the
document
now
and
it
looks
fine
there's
some
thing
like
there's:
sort
of
coordinated
disclosures
embargoes,
sort
of
things
and
how
they're
usually
dealt
with
should
probably
be
a
bit
better
explained.
G
I
madison
and
I
have
been
working
on
other
parts
of
the
document.
What
is
the
current
status
of
the
so
I
can't
remember
who
was
working
on
it?
The
the
difference
between
vdp
and
bug,
bounty
program?
Where
is
the
is
that
content?
Currently?
Is
it
what's
the
state
of
it?
Is
there
more
of
it
or
is
it
still
being
worked
on.
J
J
Well,
it's
brainstorming
notes
section,
but
the
content
itself
is
pretty
much
what
we
have
and
will
just
need
to
be
built
into
paragraph
form,
if
that
even
is
necessary.
Sometimes
bulleted
lists
can
be
just
as
professional
and
easy
to
follow
as
well.
So
it's
just
about
finding
the
right
home
for
it
really
more
than
it
is.
I
think,
at
this
point,
a
super
detailed
content
aspect.
K
A
K
B
Yeah,
I
was
going
to
suggest
the
checklist
idea,
but
also
once
the
document
is
more
or
less
done.
I
know
like
we're
just
right
there
once
the
document
is
more
or
less
done.
I
would
also
recommend
that
we
add
a
max
of
like
half
page
or
something
like
that
executive
summary
at
the
top
nobody's
going
to
read
the
entire
thing.
B
We
know
that
if
they
do
we'll
be
lucky
but
condense
it
down
to
just
the
top
bit
and
they're
more
likely
to
read
that
right
and
then,
if
you
need
more
information
drill
down
for
for
that,
and
so
like
the
executive
summary
the
tldr,
they
call
it
what
you
all
will,
but
just
to
acknowledge
that
it
will
be
a
long
document.
We
respect
your
time.
B
A
G
G
G
G
I
maybe
for
that,
a
like
side-by-side
comparison
might
be
a
better
con
right
like
what
is
the
vddp.
What
is
the
blood
learning
program?
I
do
want
to
make
sure
that
we
include
in
this
document
like
a
very
explicit
warning
to,
and
I
don't
know
how
to
communicate
this,
like
maybe
like
a
a
banner
warning
whatever.
But
but
you
know,
as
have
as
I
have
experienced
a
lot,
especially
with
bug
binding
programs
run
by
hacker.
A
You
need
to
remember
that
our
primary
stakeholder
in
this
is
trying
to
support
and
improve
the
open
source
ecosystem
and
maintainers.
So
we
need
to
be
very
careful
about
how
we
word
things
and
try
to
remain
neutral
bug.
Bounty
programs
are
a
valid
option
and
some
projects
elect
to
do
that.
It
is
not
common
practice
right.
We
need
to
be
very
measured
in
how
we
state
that,
but
yeah
we
absolutely
could
put.
G
Right
yeah,
it's
not
about,
but
I
got
blockbuster
apartments-
are
wonderful
right.
It's
about
the
nda
that
it
gets
associated
like
the
nda
being
the
problem
around
like
enforcing
like
you
can't
just
you
disclose
a
vulnerability
to
this
program.
You
can't
you
it's
not
allowed
to
be
public
afterwards
right,
because
a
lot
of
stuff
in
open
source
requires
a
cd
before
as
a
part
of
the
disclosure
to
actually
get
it
to
the
end
users
to
to
get
them
fixed
right.
G
We're
running
this
into
this
issue
with
the
amazon
security
team
where
they're,
like
you
know,
hey,
like
we've,
never
handled
this
before,
like
we'd
love
to
support
you,
but
we've
not
you
know,
we've
not.
We
don't
normally
do
one
of
the
disclosure
and
our
our
program
for
handling
this
stuff
is
it
has
an
nda
and
I'm
like.
Can
you
give
me
a
wafer,
then
right,
like
you,
like
I'm
happy,
you
know.
I
love
a
bounty
out
of
this,
but,
like
you
gotta
give
me
a
waiver
on
your,
not
nda,
because
this
needs
to
get
disclosed.
K
G
I
mean
it's
the
it's
a
common
issue
when
you're
disclosing
a
security
vulnerability
to
a
corporate
entity
that
run
that
manages
an
open
source
project.
It
is,
it
is
common.
In
that
context,
it
is
not
common
to
open
source
in
general,
but
as
soon
as
you
are
dealing
with
a
corporate
entity
that
owns
an
open
source
project,
it
is
a
common
thing
to
encounter
in
that
context,.
G
Netflix
I've
run
into
this
issue
with
amazon
expedia
expedia
hotels.com
like
this
is
these
are
cases
that
I
concrete
examples
of
cases
that
I've
run
into
this,
where
you
report
a
vulnerability,
for
example,
expedia
they
had
a
security
at
email
address.
You
report
the
vulnerability
to
the
security
at
email
address.
They
send
you
an
email
back,
saying
great.
G
So
yes,
I
have
I.
I
have
first-hand
experience
with
this
exact
problem
and
it's
it's
it's
common
when
you're
dealing
with
these.
With
with
these,
it's
not,
I've
talked
to
alex
rice,
right
and,
and
I've
talked
to
what's
his
name,
who
runs
bug,
crowds,
he's
the
cto
bug
crowd
and
they
were
like
that's
not
the
way
it
should
work
and
I'm
like
I
agree,
that's
not
the
way
it
should
work
like
that's
not
the
way.
G
We
want
these
things
to
work,
but
it's
the
way
that
these
programs
have
ended
up
getting
set
up,
stood
up
by
the
legal
teams
that
have
worked
with
these.
These
security
teams
to
establish
them
and
you
have
to
challenge
them
you're,
just
like
no.
There
is
not
going
to
be
an
nda
in
this,
like
that's
an
explicit
step
that
has
to
go
into
this
and
it's
annoying
it.
G
It
really
annoys
me,
like
it's,
not
part
of
the
game
that
I
want
to
play,
but
it's
something
you
have
to
consider
because
it's
like
otherwise,
you
end
up,
like
you
know,
in
a
case
where
you're
like
well
you're
supposed
to
vulnerability
but
you're
allowed
to.
We
can't
we're
not
going
to
let
you
publicly
dispose
it.
It's
like.
That's,
that's,
that's,
you
know.
You're,
not
protecting
users
and
the
company
gets
to
to
hide
hide
their
dirty
laundry.
N
Yeah,
I
think
that
we
won't
solve
this
complex
challenge
on
this
call
today,
but
I
did
want
to
you
know
basically
voice
support
for
further
investigation
on
this,
because
I
do
think
it's
a
legitimate
concern.
There's
also
an
inherent
cultural
conflict.
Maybe
is
a
one
way
to
think
about
it
between
how
a
enterprise
would
view
this
versus
how
a
community
would
view
this
and
then.
H
Just
kind
of
briefly
in
support
of
jonathan's
point:
I've
done
hundreds
of
disclosures
in
the
last
few
years
and
there's
definitely
an
uptick
in
people
being
routed
through
bug,
bounty
platforms,
even
when
they're
not
engaging
in
bug
bounty.
In
fact,
like
the
disclosures
that
we're
typically
doing,
are
explicitly
not
wanting
a
bounty
because
usually
there's
a
client
client
conflict
for
us
anyway,
and
even
then
there
are
certain
teams
and
there's
been
a
large
number
of
them.
H
A
G
That
is
ethically
in
the
in
the
wrong
for
having
released
a
piece
of
software
without
adequately
testing
it
right.
So
there's
this
whole
like
ethics
component
about
like
and
and
it
all
has
to
do
with
perspective,
and
so
the
the
way
that
the
industry
has
moved
has
been.
Let's
move
towards
coordinated
disclosure
where
a
researcher
and
the
organization
decide
about
how
the
vulnerability
closure
is
going
to
occur,
and
then
that's
how
it
flies.
G
O
Yeah,
I
think
ethics
goes
both
ways.
Not
all
people
who
report
vulnerabilities
are
altruistic.
I
experienced
firsthand
in
the
apache
foundation
of
my
project
that
we
a
a
comp,
a
person
who's
starting
a
new
company
withheld
vulnerabilities
until
we
produced
a
first
release
of
a
of
a
project
there.
So
we
have
you
know
we
need
to
bear
in
mind
that
you
know.
G
O
When
it
comes
to
drop
it,
but
I'm
saying
it's
like
they
should
be
disincentivized
by
saying
when
you
report
it,
you
I'm
saying
there
might
be
a
need
for
some
agreement,
you
don't
like
it,
because
people
hold
them
back.
I'm
saying
that
goes
both
ways.
So
people
are
holding
back
vulnerabilities
because
they're
going
to
profit
from
it.
A
A
Thoughts
and
put
them
into
the
document
that
we
can
kind
of
articulate
iterate
over
them
there.
This
is
a
good
conversation.
I
appreciate
everyone's
passion
on
the
topic
and
we
will
talk
to
everyone
in
two
weeks
and
you'll
see
two
emails
from
me
very
soon,
and
please
focus
your
energy
in
writing
the
con
your
ideas
down,
and
we
can
figure
out
the
best
way
that
this
group
can
get
that
out
and
share
it
with
the
world.
Thank
you.
Everybody
appreciate
your
time
have
a
great
day.